“Keep It Simple” and Just Call Me SOC

You have probably seen blog articles circulating about the "new change" to SSAE 18, including Schellman’s article in Accounting Today. Yes, the new standard imposes some important but relatively minor changes; changes which guide us, the service auditors performing these assessments. You may even see some adjustments to our approach in your next SOC examination.

This is nothing new. Standards bodies, be it the AICPA, PCI Standards Council, ISO accreditation bodies, or FedRAMP PMO, frequently issue different types of guidance to assessors. These updates can be related to a new standard, pronouncement, clarification, guidance, or passed along via training modules. Whenever a change requires testing modification, your auditor should be advising you on the impacts to you and your assessment, prior to commencement. Other than that, it is largely business as usual.

You Don’t Want to Turn Back Time to SSAE 16

Many companies were (and are) technically inaccurate by combining the SSAE 16 standards and SOC 2 reports. I've seen countless references to SSAE 16 SOC 2 reports. The SSAE 16 standard governs service auditors who perform examinations for SOC 1 reports. SOC 2 reports are guided and prepared under the broader AT Section 101 attestation standards (which are going away in May). Going forward, the nomenclature is simpler as all SOC reports are prepared under one attestation standard – SSAE 18.

Who Really Cares and Who is Affected?

SSAE 18 guides the service auditor, not your organization. It could change again next year; however, what hasn’t changed is that your organization would still undergo an attestation. If you received a Service Organization Control (SOC) report in prior years, you will still receive a SOC 1, SOC 2, or SOC 3 report, period.

My advice to you, as a CPA who spent several years in product marketing, is to avoid the overhype of the latest new term. As Van Morrison says, “Well you got to keep it, keep it simple and that's that” - so just call it a SOC report, and let your auditors deal with the minutia.

About the Author

Doug Barbin is a Principal at Schellman & Company, LLC. Doug leads all service delivery for the western US and is also oversees the firm-wide growth and execution for security assessment services including PCI, FedRAMP, and penetration testing. He has over 19 years of experience. A strong advocate for cloud computing assurance, Doug spends much of his time working with cloud computing companies has participated in various cloud working groups with the Cloud Security Alliance and PCI Security Standards Council among others.